Fitness tracking app reveals staff activity at military bases.

Strava's "heatmap" raised security concerns by exposing the exercise habits of military personnel throughout bases worldwide.

Strava, a San Francisco-based company that offers an online fitness tracker, has released a “heatmap” showcasing exercise activity of its users all around the world.

The app records exercise activity using a cell phone’s GPS or by collecting data from fitness devices like Fitbit or Jawbone. Subscribers can track their own performance and compare their results with others.

Strava’s heatmap is a form of data visualization that showcases the activity of its 27 million worldwide users, according to the company. The latest version includes data collected from 2015 to November 2017, which is when the map was released.

The newest version, Strava said, was built from one billion activities and three trillion data points that cover over 27 billion kilometers of distance run, biked or swum.

Nathan Ruser, a 20-year-old Australian university student studying international security, said he was browsing a cartography blog when he came across the heatmap.

Ruser, who also works with the Institute for United Conflict Analysts, quickly made the connection as to why the heatmap was lighting up the structure of military bases around the world.

He said he realized that a large number of active-duty military personnel had been publicly sharing their location data through the app. As a result, their regular exercise routes and their movements inside and around the bases were highlighted on the map, which is a security concern.

“I just looked at it and thought, ‘oh hell, this should not be here – this is not good,’” Ruser said. “I thought the best way to deal with it is to make the vulnerabilities known so they can be fixed.”

“Someone would have noticed at some point. I just happened to be the person who made the connection.”

Though the locations of the world’s military bases are well known, the heatmap provides insight into which bases are being used and the habitual routes taken by military personnel.

The level of activity is defined by the intensity of the light on the heatmap. And, the heatmap doesn’t just show exercise routes – it includes location data both inside and outside the base walls. For example, the heatmap may be exposing a well-used patrol road.

“You can establish a pattern of life,” Ruser said.

The bases most affected are those in remote areas. The activities of a single person can light up the heatmap, making the base stand out as an isolated “hotspot.” Location data from exercise activities are prominent in Syria, Yemen, Niger, Afghanistan and Djibouti.

In addition to military personnel, aid workers and NGO staffers in remote areas may also be affected.

Privacy is an option in Strava’s app. Users have the capability to opt out of data collection for the heatmap – even for activities shared publicly – or to set up “privacy zones” in certain locations.

The key, however, is that users must manually opt out. Journalist Rose Spinks expressed concern in an article for Quartz last year about the privacy system.

“‘If you don’t like something, you can opt out of it’ is something we hear a lot in the consumer-facing tech world,” Spinks wrote. “The problem with this attitude is that it puts the onus on consumers to ensure they’re being respected and lets companies off the hook – the assumption being that they can bank on a good number of users being too lazy, confused or negligent to opt out.”

“And, in cases where privacy is a concern, it can be downright dangerous.”

Strava released a statement saying that the heatmap data had been “anonymized,” and it “excludes activities that have been marked as private and user-defined privacy zones.”

The U.S. military has been examining the heatmap, a spokesman said. Maj. Audricia Harris, a spokeswoman for the U.S. Department of Defense, said the department takes “matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required.”